The Smash and Grab Pentest

Penetration testing is a lot like stealing jewelry. There are two basic options: either plan the heist carefully, cut the alarm, pick the lock, and black out the security cameras, or kick in the front door, bust open the jewelry cases, stuff your bags, and get out before the cops show up. Of course, the best option is to take the time to plan the heist, because if it’s done correctly no one gets arrested and a lot of money is made. Sometimes, though, the smash and grab is the only option available.

To perform a carefully planned penetration test, study the Penetration Testing Execution Standard (PTES). This is how every penetration test should be done, but unfortunately the sales guys and management haven’t read the PTES and therefore don’t allocate enough time or money to do a proper pentest. This is when the smash and grab becomes necessary.

Kick In the Front Door

Use the Social-Engineer Toolkit (SET) to get Meterpreter or shell access to an internal box, which is easier than it should be. Other options include owning a ColdFusion server, or finding a Tomcat Manager instance or other admin console with weak or default credentials.

Bust Open the Jewelry Cases

After gaining administrative access to a machine, dump the password hashes and crack them; Ophcrack or rcracki_mt are particularly good at cracking LM hashes. Typically, the local administrator password is shared among machines throughout the internal network.

Another option is to migrate into a process that is running as a domain administrative user. There may be a service set to run under a domain admin account, or the user on the box may have domain administrative privileges. If I get domain admin privileges this way, I like to create my own domain admin account using "net user username password /ADD /DOMAIN" and "net group "Domain Admins" username /ADD /DOMAIN". Make sure to remove the account when finished, using "net user username /DELETE /DOMAIN".
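As an added example (not code from the original post), here is what the two moves above look like from the defender's side in the Windows Security log: a reused local administrator password shows up as one source address making network logons with a local account onto several different hosts (event 4624, logon type 3), and a throwaway domain admin account shows up as a user creation (4720) followed within minutes by a membership add to Domain Admins (4728). The log lines are a constructed, simplified key=value rendering of those events, not real EVTX or XML output (in particular, a real 4728 event carries the member's distinguished name rather than a bare username, so the parser would need adjusting for production data). Thresholds and the event-field names are the standard Security log field names; the ten-minute window and three-host threshold are assumptions.

```python
"""Detect two smash-and-grab artifacts in Windows Security events (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: simplified key=value rendering of Security events.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z EventID=4624 LogonType=3 TargetUserName=Administrator TargetDomainName=WS01 IpAddress=10.0.0.50 Computer=WS01
2024-05-01T10:00:09Z EventID=4624 LogonType=3 TargetUserName=Administrator TargetDomainName=WS02 IpAddress=10.0.0.50 Computer=WS02
2024-05-01T10:00:15Z EventID=4624 LogonType=3 TargetUserName=Administrator TargetDomainName=WS03 IpAddress=10.0.0.50 Computer=WS03
2024-05-01T10:00:20Z EventID=4624 LogonType=3 TargetUserName=svc_backup TargetDomainName=CORP IpAddress=10.0.0.7 Computer=FS01
2024-05-01T10:05:00Z EventID=4720 TargetUserName=helpdesk2 SubjectUserName=jdoe Computer=DC01
2024-05-01T10:05:04Z EventID=4728 MemberName=helpdesk2 TargetUserName=Domain Admins SubjectUserName=jdoe Computer=DC01
2024-05-01T11:30:00Z EventID=4720 TargetUserName=newhire SubjectUserName=hr_admin Computer=DC01
2024-05-01T12:10:00Z EventID=4728 MemberName=newhire TargetUserName=Helpdesk SubjectUserName=hr_admin Computer=DC01
"""


def parse_events(text):
    """Turn each 'timestamp key=value ...' line into a dict with a datetime 'time'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _, rest = line.partition(" ")
        # Values may contain spaces ("Domain Admins"), so stop a value only
        # where the next key= begins or the line ends.
        ev = dict(re.findall(r"(\w+)=(.*?)(?=\s+\w+=|$)", rest))
        ev["time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def shared_local_admin_logons(events, min_hosts=3):
    """Flag a local account used for network logons (type 3) onto several
    different hosts from one source address: the footprint a shared local
    administrator password leaves during lateral movement.
    Returns {(account, source_ip): [hosts...]} for combinations at or above min_hosts."""
    hosts = defaultdict(set)
    for ev in events:
        if ev.get("EventID") != "4624" or ev.get("LogonType") != "3":
            continue
        # For a local (non-domain) account, TargetDomainName is the computer
        # name itself rather than the AD domain.
        if ev.get("TargetDomainName") != ev.get("Computer"):
            continue
        hosts[(ev["TargetUserName"], ev["IpAddress"])].add(ev["Computer"])
    return {key: sorted(names) for key, names in hosts.items() if len(names) >= min_hosts}


def rapid_domain_admin_grants(events, window=timedelta(minutes=10), group="Domain Admins"):
    """Pair 4720 (user created) with a 4728 (member added to a global group)
    for the same account into `group` within `window`.
    Returns [(member, actor, seconds_between)] for each match."""
    created = {ev["TargetUserName"]: ev["time"] for ev in events if ev.get("EventID") == "4720"}
    hits = []
    for ev in events:
        if ev.get("EventID") != "4728" or ev.get("TargetUserName") != group:
            continue
        member = ev.get("MemberName")
        if member not in created:
            continue
        delta = ev["time"] - created[member]
        if timedelta(0) <= delta <= window:
            hits.append((member, ev.get("SubjectUserName"), int(delta.total_seconds())))
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for (account, src), targets in shared_local_admin_logons(evs).items():
        print(f"local account {account} from {src} logged on to {', '.join(targets)}")
    for member, actor, secs in rapid_domain_admin_grants(evs):
        print(f"{actor} created {member} and added it to Domain Admins {secs}s later")
```

Running it flags the Administrator logons from 10.0.0.50 onto WS01, WS02 and WS03, and the helpdesk2 account that jdoe created and promoted four seconds later; the svc_backup domain logon and the newhire account added to an ordinary group are left alone. The account deletion the post recommends afterwards is its own event (4726) and is worth correlating the same way, since a create-promote-delete sequence inside one engagement window is exactly what the cleanup step produces.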

Stuff the Bags

After gaining administrative access to multiple machines, mount Windows shares on as many boxes as possible and look for sensitive data. Focus particularly on the data that makes the client money.

That is the basic smash and grab method I use on a regular basis. Feel free to share your smash and grab strategy as well.

2 responses to “The Smash and Grab Pentest”

  1. Insightful post, but could you please expand on “Use the social engineer toolkit (SET) to get meterpreter or shell access to an internal box” – this seems to be the hardest part of the whole “smash & grab” approach.
